authorNick Clifton <nickc@redhat.com>2016-08-30 13:38:54 +0100
committerNick Clifton <nickc@redhat.com>2016-08-30 13:38:54 +0100
commit00927233079d1d65826fd611019e9167706b9ec6 (patch)
treec6807426548726e78bb0c0dafde5a25678189d33
parent8941017bc0226b60ce306d5271df15820ce66a53 (diff)
Fix more potential seg-faults in gprof.
PR gprof/20499 * corefile.c (num_of_syms_in): Return an unsigned int. (core_create_syms_from): Catch a possible integer overflow computing the argument to xmalloc. Also allow for the possibility that an integer overflow in num_of_syms_in means that less space has been allocated than expected.
-rw-r--r--gprof/ChangeLog9
-rw-r--r--gprof/corefile.c17
2 files changed, 24 insertions, 2 deletions
diff --git a/gprof/ChangeLog b/gprof/ChangeLog
index 1081e8f..e5afbf6 100644
--- a/gprof/ChangeLog
+++ b/gprof/ChangeLog
@@ -1,3 +1,12 @@
+2016-08-30 Nick Clifton <nickc@redhat.com>
+
+ PR gprof/20499
+ * corefile.c (num_of_syms_in): Return an unsigned int.
+ (core_create_syms_from): Catch a possible integer overflow
+ computing the argument to xmalloc. Also allow for the possibility
+ that an integer overflow in num_of_syms_in means that less space
+ has been allocated than expected.
+
2016-08-23 Nick Clifton <nickc@redhat.com>
PR gprof/20499
diff --git a/gprof/corefile.c b/gprof/corefile.c
index 2a433a6..e165da2 100644
--- a/gprof/corefile.c
+++ b/gprof/corefile.c
@@ -490,11 +490,11 @@ static char name[BUFSIZE];
/* Return number of symbols in a symbol-table file. */
-static int
+static unsigned int
num_of_syms_in (FILE * f)
{
char type;
- int num = 0;
+ unsigned int num = 0;
while (!feof (f) && fgets (buf, BUFSIZE - 1, f))
{
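Review bot: Returning `unsigned int` makes the wraparound of `num` well-defined but does not stop it, so a file with more than UINT_MAX symbol lines still yields a wrong (wrapped) count that the caller then has to defend against. Saturating the counter where it is incremented (that code continues past this hunk) would keep the contract simple, e.g. `if (num == UINT_MAX) break;` before the increment, or returning `size_t` so the count cannot wrap on 64-bit hosts. The body of num_of_syms_in is only partly visible here, so the exact placement needs checking against the loop.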
@@ -531,6 +531,13 @@ core_create_syms_from (const char * sym_table_file)
fprintf (stderr, _("%s: file `%s' has no symbols\n"), whoami, sym_table_file);
done (1);
}
+ /* PR 20499 - prevent integer overflow computing argument to xmalloc. */
+ else if ((symtab.len * (unsigned) sizeof (Sym)) < symtab.len)
+ {
+ fprintf (stderr, _("%s: file `%s' has too many symbols: %u\n"),
+ whoami, sym_table_file, symtab.len);
+ done (1);
+ }
symtab.base = (Sym *) xmalloc (symtab.len * sizeof (Sym));
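Review bot: The new guard `else if ((symtab.len * (unsigned) sizeof (Sym)) < symtab.len)` is not a reliable overflow detector for a multiplication: a wrapped product is only sometimes smaller than the multiplicand (for instance a count near UINT_MAX / (sizeof (Sym) - 1) wraps to roughly UINT_MAX + count, which lands at or above symtab.len), so some overflowing counts still reach xmalloc. It also evaluates the check in `unsigned int` while the allocation on the following line multiplies in `size_t`, so on LP64 hosts the two computations have different widths and the check can reject a file the allocation would have handled. The standard form is to divide rather than multiply, `else if (symtab.len > SIZE_MAX / sizeof (Sym))`, which catches every overflow of the actual xmalloc argument; SIZE_MAX needs <stdint.h> if the file does not already include it (`(size_t) -1` works without it). core_create_syms_from starts before this hunk.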
@@ -564,6 +571,12 @@ core_create_syms_from (const char * sym_table_file)
max_vma = MAX (symtab.limit->addr, max_vma);
++symtab.limit;
+ /* PR 20499 - it is theoretically possible that there are so many
+ symbols in the file that the scan in num_of_syms_in() wrapped
+ around. So be paranoid here and exit the loop if we have
+ reached the end of our allocated table. */
+ if ((unsigned int)(symtab.limit - symtab.base) == symtab.len)
+ break;
}
fclose (f);
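Review bot: When `if ((unsigned int)(symtab.limit - symtab.base) == symtab.len) break;` fires, every remaining symbol line in the file is discarded without any message, even though the comment above it says this only happens after num_of_syms_in wrapped — a user would get a silently truncated symbol table. A diagnostic before the `break`, e.g. `fprintf (stderr, _("%s: file `%s' has too many symbols, ignoring the rest\n"), whoami, sym_table_file);`, would make the truncation visible. The loop body starts before this hunk; if any earlier path in it skips to the next iteration after writing through symtab.limit, that path would bypass this bound check, which is worth confirming.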